docs(tutorials/aws): document AWS SDK credential provider chain#6444
docs(tutorials/aws): document AWS SDK credential provider chain#6444alekc wants to merge 5 commits into
Conversation
ExternalDNS resolves AWS credentials via the aws-sdk-go-v2 default credential provider chain (provider/aws/config.go uses config.LoadDefaultConfig), so any credential source the SDK supports works — including AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY env vars, AWS_SHARED_CREDENTIALS_FILE / AWS_CONFIG_FILE, EC2 instance profile, ECS container credentials, and EKS Pod Identity. The tutorial previously documented only three deployment patterns (Node IAM Role, mounted credentials file, IRSA), leaving users to guess that env vars work or dig through Helm chart values. Add a note pointing at the AWS SDK reference for the full chain plus a tip showing the env-var pattern via the Helm chart's env: block, which is the concrete recipe users have been reconstructing from scratch. Refs kubernetes-sigs#5265
Be explicit that the env-var example targets the in-tree external-dns Helm chart under charts/external-dns/, since multiple community charts named "external-dns" exist with different value schemas.
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @alekc. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
size/M
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
u-kai
left a comment
u-kai
left a comment
There was a problem hiding this comment.
Thank you for the PR!
I've left a few comments, so please take a look.
| > ExternalDNS resolves AWS credentials through the | ||
| > [AWS SDK for Go v2 default credential provider chain](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/configure-gosdk.html#specifying-credentials). | ||
| > The methods documented below are the common deployment patterns, but any source supported | ||
| > by the SDK works without additional configuration in ExternalDNS — including environment |
There was a problem hiding this comment.
For the NOTE block, I think it would be cleaner to just include the link to the SDK reference without listing envs.
Please let me know if I'm missing something.
There was a problem hiding this comment.
reduced overall explanation to keep it minimal
| > precedence order. | ||
|
|
||
| > [!TIP] | ||
| > To pass static credentials as environment variables (e.g. when running outside AWS and |
There was a problem hiding this comment.
The Helm values example looks good to me!
However, I'd prefer to see the TIP moved closer to the existing Static credentials section, since that's where users looking for credential setup would naturally land.
…lowing feedback Signed-off-by: Alexander Chernov <alexander@chernov.it>
k8s-ci-robot
added
size/S
…cumentation Signed-off-by: Alexander Chernov <alexander@chernov.it>
k8s-ci-robot
added
size/M
|
Added risks from usage of static vars. Amended other 2 notes |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
Coverage Report for CI Build 26185204036Warning Build has drifted: This PR's base is out of sync with its target branch, so coverage data may include unrelated changes. Coverage decreased (-0.01%) to 80.621%Details
Uncovered ChangesNo uncovered changes found. Coverage Regressions8 previously-covered lines in 1 file lost coverage.
Coverage Stats
💛 - Coveralls |
| > **For AWS specifically, the best practice and recommended hierarchy is:** | ||
| > 1. **IRSA (preferred):** Map an AWS IAM role to a Kubernetes service account; no static credentials in the pod. | ||
| > 2. **EKS Pod Identity:** Native EKS alternative to IRSA; associates IAM role with a service account via the Pod Identity Agent. | ||
| > 3. **Node IAM Role:** Attach policy to the node instance profile; not recommended beyond tests because all pods on the node inherit the permissions. Tolerated, but not recommended. | ||
| > 4. **Mount credentials file:** Minimize privileges and avoid long-lived keys where possible. | ||
| > 5. **Environment variables:** Minimize privileges and avoid long-lived keys where possible. | ||
|
|
||
| This method is not the preferred method as the secrets in the credential file or environment variables could be copied and used by an unauthorized threat actor. |
There was a problem hiding this comment.
I agree with highlighting the risks of static credentials.
For the AWS-specific recommendations, would it make sense to simplify this section and instead link to the official AWS guidance?(e.g: https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html)
I think that may age better than maintaining a recommendation hierarchy directly in this document.
@ivankatliarchuk
What do you think?
There was a problem hiding this comment.
I can link it. My issue with simplification here is that AWS guidance doesn't really says whats the optimal hierarchy for all different creds. We could add a link with for the latest and up to date guidance check http://xxx at the bottom of the note?
There was a problem hiding this comment.
I think adding the AWS official guidance link makes sense.
Maybe we can:
- keep the warning about static credentials,
- briefly mention commonly recommended approaches such as IRSA and EKS Pod Identity,
- and point readers to the official AWS documentation for the latest and most accurate guidance.
That would keep the document useful while reducing long-term maintenance and recommendation drift.
…ction The Lint workflow rejected the previous commits with MD004/MD030/MD032/ MD028/MD031/MD022 violations against the static-credentials blockquote. Convert bullet markers from `*` to `-` (MD004) and trim the spacing after markers to one space (MD030). Add the blank-blockquote separator lines before each list inside a blockquote (MD032). Add a non-blockquote separator between the two consecutive `[!TIP]` callouts (MD028). Add the blank line between the closing fence and the next heading (MD031, MD022). Refs: kubernetes-sigs#5265 Signed-off-by: Alexander Chernov <alexander@chernov.it>
|
Fixed markdown linting |
5 participants
What does it do ?
Documents that ExternalDNS resolves AWS credentials via the
aws-sdk-go-v2 default credential provider chain,
plus a concrete env-var example for the in-tree Helm chart.
Motivation
Fixes #5265. Per the thread, links to the SDK reference instead of
enumerating every credential source, and adds one minimal recipe.
More